CVE-2026-33470: CWE-862: Missing Authorization in blakeblackshear frigate
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, then `/api/events/{event_id}/snapshot-clean.webp` declares `Depends(require_camera_access)` but never actually validates `event.camera` after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue.
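To make the two-step failure concrete, the following is an added illustration (not Frigate's code; the event store, function names and the stand-in `require_camera_access` are constructed assumptions) of the unfiltered timeline and the missing post-lookup `event.camera` check described above, each beside the corrected pattern, plus a small authorization regression check a defender can keep in a test suite.

```python
from dataclasses import dataclass

class Forbidden(Exception): pass

@dataclass(frozen=True)
class Event:
    id: str
    camera: str

# Constructed sample event store: one event on each of two cameras.
EVENTS = {
    "evt-front-1": Event("evt-front-1", "front_door"),
    "evt-back-1": Event("evt-back-1", "backyard"),
}

def require_camera_access(camera, allowed_cameras):
    # Hypothetical stand-in for the dependency named on the page; it can only
    # enforce anything when handed the camera it is supposed to check.
    if camera not in allowed_cameras:
        raise Forbidden(camera)

def timeline_vulnerable(allowed_cameras):
    # Vulnerable pattern: entries returned regardless of the caller's cameras.
    return [e.id for e in EVENTS.values()]

def timeline_fixed(allowed_cameras):
    # Fixed pattern: filter by the caller's allowed camera set before returning.
    return [e.id for e in EVENTS.values() if e.camera in allowed_cameras]

def snapshot_vulnerable(event_id, allowed_cameras):
    # Vulnerable pattern: event looked up, but event.camera never reaches the check.
    return f"snapshot-clean:{EVENTS[event_id].id}"

def snapshot_fixed(event_id, allowed_cameras):
    # Fixed pattern: check the object's own camera after the lookup.
    event = EVENTS[event_id]
    require_camera_access(event.camera, allowed_cameras)
    return f"snapshot-clean:{event.id}"

def leaked_cameras(timeline, snapshot, allowed_cameras):
    # Regression check: cameras outside the caller's set that still serve a snapshot.
    leaked = set()
    for event_id in timeline(allowed_cameras):
        try:
            snapshot(event_id, allowed_cameras)
        except Forbidden:
            continue
        if EVENTS[event_id].camera not in allowed_cameras:
            leaked.add(EVENTS[event_id].camera)
    return leaked
```

Fixing only the timeline filter would still leave the snapshot route exposed to anyone who learns an event ID by other means, which is why the check on the looked-up object's camera is the essential half of the fix.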
AI Analysis
Technical Summary
Frigate is an open-source network video recorder (NVR) designed for real-time local object detection on IP cameras. In version 0.17.0, a security vulnerability identified as CVE-2026-33470 arises from missing authorization checks in two API endpoints. First, the /api/timeline endpoint improperly returns timeline entries for cameras beyond the authenticated user's permitted camera set, allowing enumeration of event IDs from unauthorized cameras. Second, the /api/events/{event_id}/snapshot-clean.webp endpoint, which is supposed to enforce camera access restrictions via a dependency on require_camera_access, fails to validate the camera associated with the requested event after event lookup. This authorization bypass enables a low-privilege user, restricted to a single camera, to access clean snapshots of events from other cameras they should not have access to. The vulnerability impacts confidentiality by exposing sensitive video snapshots but does not affect data integrity or system availability. Exploitation requires authenticated access with low privileges but no additional user interaction. The flaw is categorized under CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization). The issue was publicly disclosed on March 26, 2026, with a CVSS v3.1 base score of 6.5 (medium severity), reflecting network attack vector, low attack complexity, and high confidentiality impact. The vendor addressed the vulnerability in Frigate version 0.17.1 by correcting the authorization logic to properly restrict access to event snapshots based on camera permissions.
Potential Impact
This vulnerability primarily compromises the confidentiality of video surveillance data by allowing unauthorized users to access snapshots from cameras they are not permitted to view. For organizations relying on Frigate for security monitoring, this could lead to exposure of sensitive visual information, potentially revealing private or proprietary activities, compromising physical security, or violating privacy regulations. Although the vulnerability does not affect data integrity or availability, the unauthorized disclosure of video snapshots can have serious reputational, legal, and operational consequences. Attackers with low-level credentials could exploit this flaw to gather intelligence or conduct surveillance without detection. The impact is especially critical in environments with strict access controls or sensitive surveillance deployments, such as corporate offices, critical infrastructure, or government facilities. Since exploitation requires authentication but no user interaction, insider threats or compromised low-privilege accounts pose a significant risk.
Mitigation Recommendations
Organizations using Frigate version 0.17.0 should immediately upgrade to version 0.17.1 or later, where the authorization checks have been properly implemented. In addition to patching, administrators should audit user permissions to ensure that camera access is correctly restricted and monitor logs for unusual access patterns to event snapshots. Implementing multi-factor authentication (MFA) for user accounts can reduce the risk of credential compromise. Network segmentation and limiting access to the Frigate management interface to trusted networks can further reduce exposure. Regular security assessments and penetration testing should include verification of authorization controls on API endpoints. If upgrading is temporarily not possible, consider restricting access to the affected API endpoints via firewall rules or reverse proxy access controls to prevent unauthorized enumeration and snapshot retrieval.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:16:48.969Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c569d6f4197a8e3be94d95
Added to database: 3/26/2026, 5:16:06 PM
Last enriched: 3/26/2026, 5:32:47 PM
Last updated: 3/26/2026, 6:03:18 PM